Peeling The Covers Off of Rock

For the past couple of years, at least, we have been watching a sophisticated, disciplined phishing scheme targeting dozens of banks around the world. By some estimates, “Rock” is responsible for about half of all phishing in the world. Rock phishes have a pretty simple set of characteristics to them:

  • They are advertised in image spam, using junk text and a link in the image to the phishing site.
  • Each phishing site has a number of unique URLs pointing to it, each URL with minor hostname variants to confound blacklists. Each URL is spammed in limited quantities to make blocking and URL sharing harder without a lot of visibility.
  • Each phishing host just silently proxies the attack to a central phishing server to ease data collection.
  • DNS resolution of those URLs changes several times an hour.
  • Rock phish events target dozens of brands at once.
  • Rock phish URLs have specific and unique characteristics structure to them (too complex to be described here).

The Rock phish kit is not publicly available, does not appear to be in use by anyone else (although some basic copycats are emerging), and has a scale far beyond any other phishing schemes. It’s not to say that people haven’t been investigating, the data is just limited and peeling back the layers is tough.On the one hand, it can be argued that Rock phishing skews data and statistics using single-use URLs that all point to a small handful of hosts. This makes a single phishing attack explode from a single attack against a few dozen brands to hundreds or, in some cases, thousands of attacks against those brands. To paraphrase someone, “If you think Fifth Third is being phished more than eBay, you’re wrong.” That’s true, they’re all part of one attack. However, it’s accurate when you think about blacklists and how many DNS entries point to the phishing site. The raw numbers may make it difficult to really see what’s going on, but they represent the complexity of the problem quite nicely. Here’s a list of hosts from ATLAS and the number of phishing URLs we’ve seen for each.


Not a lot gets written about Rock phishing, but when it is written it’s usually interesting. I have an interest in Rock because of the team’s discipline, their continued success and activities, and their scale. In Security matters: The almost perfect bank heist, Arjen de Landgraaf writes a nice summary of their research into Rock and the people behind it. An operation this large warrants some attention, and much of Arjen’s data jives with mine built up over the years based on my own research and data I’ve received from others.

It’s true, however, that when you start talking about the Rock phish, you get an almost Keyser Soze response from veteran phishing phighters.

Comments are closed.